Index: content/common/content_security_policy/content_security_policy_unittest.cc |
diff --git a/content/common/content_security_policy/content_security_policy_unittest.cc b/content/common/content_security_policy/content_security_policy_unittest.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..6a6c02c995f11e0e3aa2de1c2fd1ad20e2954a0b |
--- /dev/null |
+++ b/content/common/content_security_policy/content_security_policy_unittest.cc |
@@ -0,0 +1,128 @@ |
+// Copyright 2017 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "content/common/content_security_policy/csp_context.h" |
+#include "content/common/content_security_policy_header.h" |
+#include "testing/gtest/include/gtest/gtest.h" |
+ |
+namespace content { |
+ |
+namespace { |
+class CSPContextTest : public CSPContext { |
+ public: |
+ const std::string& LastConsoleMessage() { return console_message_; } |
+ |
+ private: |
+ void LogToConsole(const std::string& message) override { |
+ console_message_ = message; |
+ } |
+ std::string console_message_; |
+}; |
+ |
+} // namespace |
+ |
+TEST(ContentSecurityPolicy, NoDirective) { |
+ CSPContextTest context; |
+ std::vector<std::string> report_end_points; // empty |
+ ContentSecurityPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
+ blink::WebContentSecurityPolicySourceHTTP, |
+ std::vector<CSPDirective>(), report_end_points, |
+ "" /* header */); |
+ |
+ EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction, |
+ GURL("http://www.example.com"), |
+ &context)); |
+ EXPECT_EQ("", context.LastConsoleMessage()); |
+} |
+ |
+TEST(ContentSecurityPolicy, ReportViolation) { |
+ CSPContextTest context; |
+ |
+ // source = "www.example.com" |
+ CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false, |
+ ""); |
+ CSPSourceList source_list(false, false, {source}); |
+ CSPDirective directive(CSPDirective::FormAction, source_list); |
+ std::vector<std::string> report_end_points; // empty |
+ ContentSecurityPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
+ blink::WebContentSecurityPolicySourceHTTP, |
+ {directive}, report_end_points, "" /* header */); |
+ |
+ EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction, |
+ GURL("http://www.not-example.com"), |
+ &context)); |
+ |
+ const char console_message[] = |
+ "Refused to send form data to 'http://www.not-example.com/' because it " |
+ "violates the following Content Security Policy directive: \"form-action " |
+ "www.example.com\".\n"; |
+ EXPECT_EQ(console_message, context.LastConsoleMessage()); |
+} |
+ |
+TEST(ContentSecurityPolicy, DirectiveFallback) { |
+ CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ CSPSourceList source_list_a(false, false, {source_a}); |
+ CSPSourceList source_list_b(false, false, {source_b}); |
+ |
+ std::vector<std::string> report_end_points; // Empty. |
+ |
+ { |
+ CSPContextTest context; |
+ ContentSecurityPolicy policy( |
+ blink::WebContentSecurityPolicyTypeEnforce, |
+ blink::WebContentSecurityPolicySourceHTTP, |
+ {CSPDirective(CSPDirective::DefaultSrc, source_list_a)}, |
+ report_end_points, "" /* header */); |
+ EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
+ GURL("http://b.com"), &context)); |
+ const char console_message[] = |
+ "Refused to frame 'http://b.com/' because it violates " |
+ "the following Content Security Policy directive: \"default-src " |
+ "http://a.com\". Note that 'frame-src' was not explicitly " |
+ "set, so 'default-src' is used as a fallback.\n"; |
+ EXPECT_EQ(console_message, context.LastConsoleMessage()); |
+ EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
+ GURL("http://a.com"), &context)); |
+ } |
+ { |
+ CSPContextTest context; |
+ ContentSecurityPolicy policy( |
+ blink::WebContentSecurityPolicyTypeEnforce, |
+ blink::WebContentSecurityPolicySourceHTTP, |
+ {CSPDirective(CSPDirective::ChildSrc, source_list_a)}, |
+ report_end_points, "" /* header */); |
+ EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
+ GURL("http://b.com"), &context)); |
+ const char console_message[] = |
+ "Refused to frame 'http://b.com/' because it violates " |
+ "the following Content Security Policy directive: \"child-src " |
+ "http://a.com\". Note that 'frame-src' was not explicitly " |
+ "set, so 'child-src' is used as a fallback.\n"; |
+ EXPECT_EQ(console_message, context.LastConsoleMessage()); |
+ EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
+ GURL("http://a.com"), &context)); |
+ } |
+ { |
+ CSPContextTest context; |
+ CSPSourceList source_list(false, false, {source_a, source_b}); |
+ ContentSecurityPolicy policy( |
+ blink::WebContentSecurityPolicyTypeEnforce, |
+ blink::WebContentSecurityPolicySourceHTTP, |
+ {CSPDirective(CSPDirective::FrameSrc, {source_list_a}), |
+ CSPDirective(CSPDirective::ChildSrc, {source_list_b})}, |
+ report_end_points, "" /* header */); |
+ EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
+ GURL("http://a.com"), &context)); |
+ EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
+ GURL("http://b.com"), &context)); |
+ const char console_message[] = |
+ "Refused to frame 'http://b.com/' because it violates " |
+ "the following Content Security Policy directive: \"frame-src " |
+ "http://a.com\".\n"; |
+ EXPECT_EQ(console_message, context.LastConsoleMessage()); |
+ } |
+} |
+ |
+} // namespace content |